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Abstract:  Enforcement  of  a  high-level  statement  of  security  policy  may  be  difficult  to  discern 
when  mapped  through  functional  requirements  to  a  myriad  of  possible  security  services  and 
mechanisms  in  a  highly  complex,  networked  environment.  A  method  of  articulating  network 
security  functional  requirements,  and  their  fulfillment,  is  presented.  Using  this  method,  security  in 
a  quality  of  service  framework  is  discussed  in  terms  of  “variant”  security  mechanisms  and 
dynamic  security  policies.  For  illustration,  it  is  shown  how  this  method  can  be  used  to  represent 
Quality  of  Security  Service  ( QoSS)  in  a  network  scheduler  benefit  function1. 


1  Introduction 

Several  efforts  are  underway  to  develop  middleware  systems  that  will  logically  combine  net¬ 
work  resources  to  construct  a  “virtual”  computational  system  [4]  [7]  [8] .  These  geographically 
distributed,  heterogeneous  resources  are  expected  to  be  used  to  support  a  heterogeneous  mix  of 
applications.  Collections  of  tasks  with  disparate  computation  requirements  will  need  to  be  effi¬ 
ciently  scheduled  for  remote  execution.  Large  parallelized  computations  found  in  fields  such  as 
astrophysics  [14]  and  meteorology  will  require  allocation  of  perhaps  hundreds  of  individual  pro¬ 
cesses  to  underlying  systems.  Multimedia  applications,  such  as  voice  and  video  will  impose 
requirements  for  low  jitter,  minimal  packet  losses,  and  isochronal  data  rates.  Adaptive  applica¬ 
tions  will  need  information  about  their  environment  so  they  can  adjust  to  changing  conditions. 

User  acceptance  of  these  virtual  systems,  for  either  commercial  or  military  applications,  will 
depend,  in  part,  upon  the  security,  adaptability,  and  user-responsiveness  provided.  Several  of  the 
projects  engaged  in  building  the  middleware  to  create  these  networks  are  pursuing  the  integration 
of  security  [6]  [10]  [22]  and  quality  of  service  [1]  [16]  into  these  systems.  The  need  for  virtual 
networked  systems  to  both  adapt  to  varying  security  conditions,  and  offer  the  user  a  range  of  secu¬ 
rity  choices  is  apparent. 

In  the  network  computing  context,  users  or  user  programs  may  request  the  execution  of  “jobs,” 
which  are  scheduled  by  an  underlying  control  program  to  execute  on  local  or  remote  computing 
resources.  The  execution  of  the  job  may  access  or  consume  a  variety  of  network  resources,  like: 
local  I/O  device  bandwidth,  internetwork  bandwidth;  local  and  remote  CPU  time;  local,  interme¬ 
diate  (e.g.,  routing  buffers)  and  remote  storage.  The  resource  usages  may  be  temporary  or  persis- 
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tent.  As  there  are  multiple  users  accessing  the  same  resources,  there  are  naturally  various 
allotment,  contention,  and  security  issues  regarding  use  of  those  resources. 

The  body  of  rules  for  resolving  network  security  issues  is  called  the  network  security  policy, 
whereas  the  body  of  rules  for  resolving  network  contention  and  allotment  comprise  a  network 
management  policy  (which  is  sometimes  taken  to  include  the  network  security  policy).  These  pol¬ 
icies  consist  of  broad  policy  jurisdictions,  such  as  scheduling,  routing,  access  control,  auditing, 
and  authentication.  Furthermore,  these  jurisdictions  can  be  decomposed,  typically,  into  functional 
requirements,  such  as,  “users  from  network  domain  A  must  not  access  site  B,”  and  “user  C  must 
receive  a  certain  quality  of  service.”  The  network  management  and  security  policies,  as  mapped 
through  the  functional  requirements,  may  be  manifested  in  mechanisms  throughout  the  network, 
including:  host  computer  operating  systems,  network  managers,  traffic  shapers,  schedulers,  rout¬ 
ers,  switches  and  combinations  thereof.  As  these  mechanisms  are  distributed  and  are  often 
obscurely  related,  there  has  been  some  interest  in  the  ability  to  express  and  quantify  the  level  of 
support  for  security  policy  and  Quality  of  Security  Service  (QoSS:  managing  security  and  secu¬ 
rity  requests  as  a  responsive  "service"  for  which  quantitative  measurement  of  service  “efficiency” 
is  possible)  provided  in  networked  systems. 

The  purpose  of  this  paper  is  to  present  a  system  for  describing  functional  requirements  for  net¬ 
work  security  policies,  to  show  how  QoSS  parameters  and  mechanisms  can  be  represented  in  such 
a  system,' and  to  provide  an  example  of  the  use  of  this  system.  The  remainder  of  this  paper  is  orga¬ 
nized  as  follows.  Section  2  discusses  a  “security  vector”  for  quantifying  functional  support  of  net¬ 
work  security  policy.  Section  3  describes  how  the  security  vector  can  be  used  for  expressing  the 
effects  of  QoSS  in  a  network-scheduling  benefit  function;  and  a  conclusion  follows  in  Section  4. 

2  Network  Security  Vector 

A  network  security  policy  can  be  viewed  as  an  n-dimensional  space  of  functional  security 
requirements.  We  represent  this  multidimensional  space  with  a  vector  (S)  of  security  components. 
Each  component  (S.c)  specifies  a  boolean  functional  requirement,  whereby  the  instantiation  of  a 
network  job  either  meets  (possibly  trivially)  or  does  not  meet  each  of  the  requirements.  By  con¬ 
vention,  a  security  vector’s  components  are  ordered,  so  they  can  be  referenced  ordinally  (S.3)  or 
symbolically  (S.c).  A  component  may  indicate  positive  requirements  (e.g.,  communications  via 
node  n  must  use  encryption)  as  well  as  negative  constraints  (e.g.,  users  from  subnet  s  may  not  use 
node  n).  Components  can  also  be  hierarchically  grouped  [21] .  Requirements  for  a  given  security 
service  may  be  represented  by  one  or  more  components  (indicating  a  service  sub-vector),  and  a 
security  service  may  utilize  functions  and  requirements  of  other  services  and  their  components. 

Some  jobs  can  produce  output  in  different  formats,  where  a  given  format  (e.g.,  high  resolution 
video)  might  be  more  resource  consumptive  than  another  format  (e.g.,  low  resolution  video).  For¬ 
mats  may  have  differing  security  requirements,  even  within  the  same  job.  For  example,  a  video¬ 
stream  format  may  require  less  packet  authentication  [18] ,  percentage- wise,  than  a  series  of  fixed 
images  based  on  the  same  data.  A  “quality  of  service”  scheduling  mechanism  might  choose  one 
format  for  a  job  over  another,  depending  on  varying  network  conditions  (e.g.,  traffic  congestion). 
Further,  adaptive  applications  may  select  formats  depending  upon  changing  conditions.  For 
EPSec,  security  association  (SA)  processing  using  ISAKMP  under  IKE  can  permit  complex  secu¬ 
rity  choices  through  an  S  A  payload.  For  example,  the  payload  recipient  may  be  given  transform 
choices  regarding  both  Authentication  Header  and  Encapsulating  Security  Protocol  [13] . 

The  set  of  all  jobs  is  represented  by  J.  The  set  of  all  formats  is  represented  by  I.  The  notation 
Sy  identifies  a  vector  containing  the  portions  of  S  that  are  applicable  to  job  j  in  format  i,  and  Sy.c 
identifies  a  given  component  (c)  of  Sy.  The  relation  of  S  to  Sy  is  clarified  further,  below.  The  fol¬ 
lowing  are  some  informal  examples  of  security- vector  components: 

•  S.  1 :  user  access  to  resource  r  =  RW;  based  on  table  t 
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•  S.2:  %  of  packets  authenticated  >=  50,  <=  90;  inc  10 

•  S.3:  level  (user)  =  level(resource) 

•  S.4:  length  of  confidentiality  encryption  key  >=  64,  <=  256;  inc  64 

•  S.5:  authentication  header  transform  in  {HMAC-MD5,  HMAC-SHA} 

Here,  “inc  10”  indicates  that  the  range  from  50  through  90  is  quantized  into  increments  of  10, 
viz:  50, 60, 70,  80, 90.  Later,  we  will  need  to  indicate  the  number  of  quantized  steps  in  the  compo¬ 
nent;  to  do  this,  one  more  notational  element  is  introduced,  [S.c].  In  the  above  examples,  [5.7]  =  1, 
and  [5.2]  =  5. 

2.1  Variant  Security  Components 

When  [S.c]  >  1,  the  underlying  control  program  has  a  range  within  which  it  may  allow  the  job 
to  execute  with  respect  to  the  policy  requirement.  We  refer  to  this  type  of  policy,  and  component, 
as  “variant.”  Variant  policies  may  be  used  within  a  resource  management  context,  for  example,  to 
effect  adaption  to  varying  network  conditions  [17] .  Also,  if  the  policy  mechanism  is  variant,  the 
control  program  may  offer  QoSS  choices  to  the  user  to  indicate  their  preferences  with  respect  to  a 
given  job  or  jobs.  Without  variant  mechanisms,  neither  security  adaptability  by  the  underlying 
control  program  nor  QoSS  are  possible,  since  fixed  policy  mechanisms  do  not  allow  for  changes 
to  security  within  a  fixed  job/resource  environment.  'While  the  expression  S.c  may  contain  a  com¬ 
pound  boolean  statement  (see  Section  2.2  ),  by  convention  it  may  contain  only  one  variant  clause. 

2.2  Component  Structure 

For  use  in  the  examples  in  this  discussion,  a  component  has  the  following  composition  (see 
Table  1  for  details)1: 

•  component  ::=  boolean  expression,  variant-range-specifier  ;  modifying-clause 

•  boolean  _expression  ::=  boolean_statement  [(or  I  and)  boolean_statement]* 

•  boolean_statement  ::=  LHS  boolean-operator  RHS 


Table  1:  Simple  Component  Elements 


Element  Name 

Example  S.l 

Example  S.2 

Value 

user  access  to  resource  r  =  RW, 
based  on  table  t 

%  of  packets  authenticated 
>=  50,  <=  90;  inc  10 

Instantiated  value 

false 

true 

Value  of  LHS 

user  access  to  resource  r 

%  of  packets  authenticated 

Instantiated  value  of  LHS 

W 

70 

Boolean  operator 

= 

>= 

Value  of  RHS 

RW 

50 

variant  range  specifier 

<=  90 

Modifying  clause 

based  on  table  t 

inc  10 

1.  It  is  not  the  focus  here  to  elaborate  on  a  policy  representation  language.  See  other  efforts  and  works  in 
progress  [2]  [3]  [5]  [15]  . 

i 
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A  given  policy  component  has  a  value  which  is  a  boolean  expression.  This  component  may 
also  have  an  instantiated  value  with  respect  to  a  specific  job  and  format,  which  is  either  “true”  or 
“false.”  A  component  has  a  left  hand  side  (LHS),  which  is  the  item  that  is  being  tested;  of  course 
the  LHS  has  a  value  as  well  as  an  instantiated  value.  A  component  also  has  a  right  hand  side 
(RHS),  which  is  what  the  LHS  is  tested  against,  as  well  as  zero  or  more  modifying  clauses.  Simi¬ 
larly  to  the  LHS,  the  RHS  may  have  a  value  (or  values)  which  is  dependent  on  the  instantiation  of 
the  component. 

2.3  Dynamic  Security  Policies 

With  a  dynamic  security  policy,  the  value  of  a  vector's  components  may  depend  on  the  network 
"mode"  (e.g.,  normal,  impacted,  emergency,  etc.),  where  M  is  the  set  of  all  modes.  There  is,  con¬ 
ceptually,  a  separate  vector  for  each  operational  mode,  represented  as:  smode.  Access  to  a  pre¬ 
defined  set  of  alternate  security  policies  allows  their  functional  requirements  and  implementation 
mechanisms  to  be  examined  with  respect  to  the  overall  policy  prior  to  being  fielded,  rather  than 
depending  on  ad  hoc  methods,  for  example,  during  an  emergency. 

Initially,  every  component  of  S  has  the  same  value  in  each  of  its  modes.  Ultimately,  compo¬ 
nents  may  be  assigned  different  values,  depending  on  the  network  mode.  For  example: 

•  Snormal.b:  user  access  to  network  node  =  granted;  based  on  table  t 

•  simpacted.b:  user  access  to  network  node  =  granted;  based  on  table  t,  OR  UID  in  set  of  adminis¬ 
trators 

•  semergency.b:  UID  in  set  of  {administrators,  policymakers) 

If  a  mode  is  not  specified  for  a  component  (e.g.,  "S.a"),  normal  mode  is  assumed.  This  will  be 
the  case  (i.e.,  the  mode  is  unspecified)  for  the  remainder  of  this  discussion. 

2.4  Refinements  to  S 

R  is  the  set  of  resources  {rj..  rn}.  R y  is  the  subset  of  R  utilized  in  executing  job  j  in  format  i. 

Tj  is  the  requested  completion  time  of  job  j. 

Security  policies  may  be  expressed  with  respect  to  principals  (user,  group  or  role,  etc.,),  appli¬ 
cations,  data  sets  (both  destination  and  source),  formats,  etc.,  as  well  as  resources  in  Ry. 

The  definition  of  Sy  is  finally  refined  as  follows:  Sy  is  a  vector  that  is  an  order-preserving  pro¬ 
jection  of  S,  such  that  a  component  c  from  S  is  in  Sy  if  and  only  if  the  value  of  c  depends  on  for¬ 
mat  i,  job  j,  or  any  r  in  Ry.  The  number  of  components  in  a  security  vector  Sy  is  [Sy]. 

2.5  Summary  of  Security  Vector 

S  is  a  general  purpose  notational  system  suitable  for  expressing  arbitrarily  complex  sets  of  net¬ 
work  security  mechanisms.  S  can  express  variant  policies,  to  allow  security  expressions  of  quality 
of  service  requests,  and  can  have  dynamic  security  elements  to  accommodate  multiple  situation- 
based  policies.  In  particular,  S  can  represent  both  (1)  static  security  requirements  that  may  be 
implemented  in  a  system,  as  well  as  (2)  the  results  of  running  a  particular  job  or  task  against  such 
static  requirements.  The  latter  usage  will  be  examined  in  the  next  section,  to  express  QoSS  in  an 
RMS  benefit  function. 

3  Network-Scheduler  Benefit  Function 

As  discussed  above,  various  mechanisms  exist  for  managing  contention  for,  and  allotment  of 
distributed  network  resources.  One  class  of  these  mechanisms  attempts  to  efficiently  schedule  the 
execution  of  multiple  (possibly  simultaneous)  jobs  on  multiple  distributed  computers  (e.g.,  the 
MSHN  project  [8]  [22]  [23]  [11]  [16] ),  where  each  job  requires  a  determinable  subset  of  the 
resources.  Of  interest  is  a  benefit  function  for  comparing  the  effectiveness  of  such  job  scheduling 
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mechanisms  when  they  are  presented  with  real  or  hypothetical  “data  sets”  of  jobs. 

Jobs  are  assigned  priorities  for  use  in  resolving  resource  contention  and  allocation  issues.  In 
some  systems,  a  job’s  priority  may  depend  upon'the  particular  operating  mode  of  the  network  [8] 

.  Also,  the  different  data  formats  of  a  multiple-format  job  may  have  different  preferences  (e.g., 
assigned  by  a  user  or  “hard  wired”  as  part  of  the  application  or  job-scheduler  database),  and  dif¬ 
ferent  levels  of  resource  usage  [10]  [12].  A  network  job  scheduler  should  receive  more  credit  in 
the  benefit  function  for  scheduling  high  priority  and  high  preference  jobs,  as  opposed  to  low  prior¬ 
ity  or  low  preference  jobs.  That  is  to  say,  a  scheduler  is  intuitively  doing  a  better  job  if  important 
jobs,  as  judged  by  priority  and  preference,  receive  more  attention  than  unimportant  jobs.  How 
much  weight  the  priorities  and  preferences  are  given  is  a  matter  of  network  scheduling  policy. 

We  introduce  a  simple  benefit  function,  B,  to  measure  how  well  a  scheduler  meets  the  goals  of 
user  preference  and  system  priorities  (see  [4] ,  [12]  and  [20]  for  other  approaches).  This  function 
averages  preference  (p)  and  priority  (P)  (use  of  a  priority  and  preference  in  measuring  network 
effectiveness  have  been  introduced  for  the  MSHN  project  [10] ) . 

n  mj 

S  lXij(Pij  +  Pij) 

B=  l=\L=.\ - 

2  n 

Where  the  characteristic  function  X  is  defined  for  i,  j  as: 

Xij  =  1  if  format  i  was  successfully  delivered  to  job  j  within  time  7),  else  0 


and  at  most  one  format  is  completed  per  job:  Vj  e  J 


f  mj 

Vi  =  1 


Jobs  and  formats  are  defined  as  above,  and  P]  is  the  priority  of  job  j,  and  0  <  P;-  <  1 , 

The  formats  for  a  job  are  assigned  preferences  ip)  by  the  user,  0  <=p  <=  1: 
m}  is  the  number  of  [format,  preference]  pairs  assigned  for  job  j 

Pij  is  the  preference  the  user  has  assigned  to  format  i,  job  j 

mi 

the  preferences  for  a  job  add  up  to  1:  Vjr  e  J :  £  Pij  =  l 

i  =  i 

This  approach  assumes  that  users  will  assign  preference  values  that  correspond  to  resource 
usage,  since  we  want  the  benefit  function  to  indicate  a  higher  value  when  the  scheduler  suc¬ 
ceeds  in  scheduling  “harder”  jobs  [12] . 


3.1  Adding  Security  to  the  Benefit  Function 

We  wish  the  benefit  function  to  reflect  the  effectiveness  and  restrictions  of  the  security  policy. 
First,  we  define  the  characteristic  security  function  Z,  for  i  and  j: 

Zij  =  1  if  the  instantiated  value  of  all  components  in  Sy  are  true,  else  0 

The  numerator  of  the  benefit  function  is  multiplied  by  Z,  so  that  no  credit  is  given  for  jobs  that 
fail  to  meet  the  security  requirements: 


n  mj 

I  I  WVftP 


Now,  for  variant  components,  we  wish  to  be  able  to  give  less  credit  to  the  scheduler  for  fulfill¬ 
ing  less  “difficult”  security  requirements.  One  algorithm  for  expressing  this  is  for  each  instanti¬ 
ated  component  (c)  in  Sy  to  be  assigned  a  security  completion  token  (g)  where  0  <  g  <  1 .  gc  will 
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indicate  the  completion  token  corresponding  to  component  S.c.  gc  is  defined  to  be  the  “percent¬ 
age”  of  [S.c]  met  or  exceeded  by  the  instantiated  value  of  the  component’s  LHS  (notated  as  S.c”): 
gc  =  S.c”  /[S.c\ 

To  illustrate  the  calculation  of  gj,  for  component  S.  1 : 

S.l:  %  of  packets  authenticated  >=  50,  <=  90;  inc  10 

[S.  1]  =  5  ( the  number  of  quanta  in  S.  1 ),  S.  1”  =  3  ( the  job  achieves  the  3rd  quantum  (70)) 

g]  =  3/5  =  0.6 

For  invariant  components,  g  =  1  or  g  =  0.  A  token  (g)  whose  value  is  0  represents  a  job  “fail¬ 
ing”  the  component’s  security  policy.  Recall  that  Z  will  be  0  when  the  job/format  fails  to  meet  the 
requirement  of  any  security  component,  meaning  that  the  function  returns  no  benefit  value  for  that 
job/format.  We  introduce  a  function  (A)  which  averages  the  tokens  of  a  job: 

Aij  =  iSl  +  82  +  ••  +  Sn)/n 

where  n  =  [Sy]  —  the  number  of  components  in  Sy  and  (0  <  A-  <  1) 

We  weight  the  tokens  (g)  assigned  to  individual  security  components,  whereby  each  gn  has  a 
corresponding  integer  weight  (wn),  wc  >=  0.  So  Aij  becomes: 

Ay  =  (gjW]  +  g2w2  +  ..+  gnWn)/(wj  +  w2  +  ..+  wn) 

The  component  weighting  factors  allow  the  benefit  function  to  give  more  weight  to  compo¬ 
nents  that  are  “more  important”  than  others,  e.g.,  reflecting  network  management  policies. 

In  the  final  expression  of  the  network  benefit  function,  A  is  added  to  the  numerator,  providing 
an  average  of  security,  priority  and  preference. 


n  mj 

I  £ 


B=  iziizl 


3  n 


0  <  B  <  1  ,  where  1  indicates  the  maximum  scheduling  effectiveness. 


4  Discussion  and  Conclusion 

A  security  vector  has  been  presented  for  describing  functional  requirements  of  network  secu¬ 
rity  policies.  It  has  been  shown  that  this  vector  can  be  used  for  representing  security  with  respect 
to  both  quality  of  service  and  a  network  scheduler  benefit  function. 

We  are  involved  in  ongoing  work  to  organize  the  vector  into  a  “normal  form”  with  sub- vectors 
or  hierarchies  corresponding  to  policy  jurisdictions  (such  as:  scheduling,  routing,  access  control, 
auditing,  and  authentication)  and  to  incorporate  a  costing  methodology  for  security  components, 
such  as  can  be  provided  to  a  resource  management  system  [9] .  We  are  working  to  develop  a 
means  of  adjusting  the  preference  expression  with  a  notion  of  the  corresponding  resource  usage 
[12] .  We  are  considering  how  to  expand  the  security  benefit  function  (A)  to  reflect  user  quality  of 
security  service  choices  within  the  range  allowed  by  variant  security  components,  and  to  reflect 
performance  implications  of  redundant  security  mechanisms. 

The  organizational  security  policy  [19]  governing  the  network  may  allow  individuals  or  princi¬ 
pals  representing  them  to  override  rules  represented  by  invariant  security  vector  components.  For 
example,  a  military  commander  might  decide  to  forgo  cryptographic  secrecy  mechanisms  for  a 
job  in  an  emergency  (e.g.,  to  improve  network  performance),  even  though  the  system  has  not  been 
configured  with  “dynamic”  or  “variant”  security  mechanisms,  as  defined  herein.  From  the  per¬ 
spective  of  the  security  vector  S  and  the  benefit  function,  this  is  a  change  or  violation  of  the  com¬ 
puter  security  policy,  which  is  not  represented  within  the  notation.  It  is  recommended  that  this 
type  of  policy  change  be  audited. 
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